Category Archives: Security

New Exploit Kits Improve Evasion Techniques

Exploit kits are toolkits that malicious developers use to take advantage of client-side vulnerabilities, targeting web browsers and programs that can be accessed through browsers. The most common exploit targets are Java, Flash, PDFs, and Silverlight. Exploit kits use lots of techniques to evade detection by security products.

Exploit kits use several common techniques:

  • Code obfuscation using commercial packers
  • String manipulation
  • Dummy or garbage functions as anti-emulation tricks

The latest exploit kits on the black market are very stealthy. They look for the presence of virtual machines (VMs) and antimalware products on a system before infecting it. These techniques help evade automated analysis and detection, and they also make reverse-engineering the malware tricky. At McAfee Labs we recently investigated two recent exploit kits and reversed their techniques to understand how they work.

Angler Exploit Kit

Before exploiting a vulnerable program in a web browser, the landing page of the Angler Exploit Kit searches for the presence of VM and security product driver files in windir%system32drivers.

File Enumeration Through Microsoft XMLDOM ActiveXFile enumeration through the Microsoft XMLDOM ActiveX control.

Angler searches for several files, including:

  • A virtual keyboard plug-in to identify Kaspersky software
  • tmactmon.sys, tmevtmgr.sys, tmeext.sys, tmnciesc.sys, tmtdi.sys, tmcomm.sys, and TMEBC32.sys (Trend Micro)
  • vm3dmp.sys, vmusbmouse.sys, vmmouse.sys, and vmhgfs.sys (VMware)
  • VBoxGuest.sys, VBoxMouse.sys, VBoxSF.sys, and VBoxVideo.sys (Virtual Box VM)
  • prl_boot.sys, prl_fs.sys, prl_kmdd.sys, prl_memdev.sys, prl_mouf.sys, prl_pv32.sys, prl_sound.sys, prl_strg.sys, prl_tg.sys, and prl_time.sys (Parallel Desktop virtualization)

The malware also checks certain file locations to find antimalware products or VMs by enumerating their corresponding files using the Res:// protocol. It also checks for ActiveX or browser plug-ins related to security products.

AV_productFile enumeration through the res:// protocol.

Nuclear Exploit Kit

Recent versions of the Nuclear Exploit Kit use the same technique to detect VMs and security products on a compromised machine. One difference is that Nuclear uses these techniques in its redirectors, unlike other kits that used them on the landing pages. Once these redirectors confirm that there is no trace of VM or security products, then it redirects to the actual landing page.

nuclearkitNuclear Exploit Kit’s redirector.

We have seen similar tricks used by Rigkit to evade detection. At McAfee Labs we closely monitor these kits and offer generic coverage for them through our DATs.

The post New Exploit Kits Improve Evasion Techniques appeared first on McAfee.

Potentially catastrophic bug bites all versions of Windows. Patch now

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

Read 4 remaining paragraphs | Comments

Microsoft Patch Tuesday – November 2014

This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated ’Critical’.

ms-tuesday-patch-key-concept-white-light 2_0.png

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-nov

The following is a breakdown of the issues being addressed this month:

  1. MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

    Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.

    Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when a user downloads, or receives, and then opens a specially crafted Microsoft Office file that contains OLE objects.

  2. MS14-065 Cumulative Security Update for Internet Explorer (3003057)

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6349) MS Rating: Important

    An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6350) MS Rating: Important

    An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly restrict access to the clipboard of a user who visits a website. The vulnerability could allow data stored on the Windows clipboard to be accessed by a malicious site. An attacker could collect information from the clipboard of a user if that user visits the malicious site.

    Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339) MS Rating: Important

    A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, which could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.

  3. MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

    Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) MS Rating: Critical

    A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets.

  4. MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

    MSXML Remote Code Execution Vulnerability (CVE-2014-4118) MS Rating: Critical

    A remote code execution vulnerability exists when Microsoft XML Core Services (MSXML) improperly parses XML content, which can corrupt the system state in such a way as to allow an attacker to run arbitrary code. The vulnerability could allow a remote code execution if a user opens a specially crafted file or webpage.

  5. MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

    Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.

    Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

    Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335) MS Rating: Important

    A remote code execution vulnerability exists in the context of the local user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

  6. MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)

    TCP/IP Elevation of Privilege Vulnerability (CVE-2014-4076) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows TCP/IP stack (tcpip.sys, tcpip6.sys) that is caused when the Windows TCP/IP stack fails to properly handle objects in memory during IOCTL processing.

  7. MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)

    Windows Audio Service Vulnerability (CVE-2014-6322) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows audio service component that could be exploited through Internet Explorer. The vulnerability is caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges.

  8. MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)

    TypeFilterLevel Vulnerability (CVE-2014-4149) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.

  9. MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

    SharePoint Elevation of Privilege Vulnerability (CVE-2014-4116) MS Rating: Important

    An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize page content in SharePoint lists. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.

  10. MS14-074 Vulnerability in Remote Desktop Protocol could allow Security Feature Bypass (3003743)

    Remote Desktop Protocol (RDP) Failure to Audit Vulnerability (CVE-2014-6318) MS Rating: Important

    A security feature bypass vulnerability exists in Remote Desktop Protocol (RDP) when RDP does not properly log failed logon attempts. The vulnerability could allow an attacker to bypass the audit logon security feature. The security feature bypass by itself does not allow an arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability.

  11. MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

    IIS Security Feature Bypass Vulnerability (CVE-2014-4078) MS Rating: Important

    A security feature bypass vulnerability exists in Internet Information Services (IIS) that is caused when incoming web requests are not properly compared against the 'IP and domain restriction' filtering list.

  12. MS14-077 Vulnerability in Active Directory Federation Services could allow Information Disclosure (3003381)

    Active Directory Federation Services Information Disclosure Vulnerability (CVE-2014-6331) MS Rating: Important

    An information disclosure vulnerability exists when Active Directory Federation Services (AD FS) fails to properly log off a user. The vulnerability could allow an unintentional information disclosure.

  13. MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)

    Microsoft IME (Japanese) Elevation of Privilege Vulnerability (CVE-2014-4077) MS Rating: Moderate

    An elevation of privilege vulnerability exists in Microsoft IME for Japanese that is caused when a vulnerable sandboxed application uses Microsoft IME (Japanese).

  14. MS14-079 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)

    Denial of Service in Windows Kernel Mode Driver Vulnerability (CVE-2014-6317) MS Rating: Moderate

    A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Bypassing Microsoft’s Patch for the Sandworm Zero Day: a Detailed Look at the Root Cause

On October 21, we warned the public that a new exploitation method could bypass Microsoft’s official patch (MS14-060, KB3000869) for the infamous Sandworm zero-day vulnerability. As Microsoft has finally fixed the problem today via Security Bulletin MS14-064, it’s time to uncover our findings and address some confusion. This is the first of two posts on this issue. (McAfee has already delivered various protections against this threat to our customers.)

Sandworm background

This zero-day attack was disclosed at almost the same time that the patch was available on the last “Patch Tuesday” (October 14). We found that this is a very serious zero-day attack not only because the attack targeted many sensitive organizations (such as NATO), but also from the technical properties of the vulnerability and exploitation.

  • This vulnerability is a logic fault. It’s not related to memory corruption (such as a heap-based overflow or use-after-free) so proven-effective exploitation mitigations such as ASLR and DEP on Windows 7 or later will fail to block the exploit. Nor can Microsoft’s enhanced security tool Enhanced Mitigation Experience Toolkit (EMET) block the attack by default.
  • Though the in-the-wild samples are organized as PowerPoint Show (.ppsx) files, this is due to a vulnerability in the Windows Packager COM object (packager.dll). Considering that COM objects are OS-wide function providers, any applications installed on the system can invoke them, which means that other formats can be attacks paths as well. This indicates that all Windows users, not only Office users, are at risk.

The attack has been going on for quite a long time. For example, an exploit generator found on VirusTotal suggests that the vulnerability was discovered in June 2013.

Microsoft’s patch and two bypasses

On October 17, three days after its release, we found that Microsoft’s patch could be bypassed with some tricks. We reported our findings to Microsoft on the same day, which lead to an emergency Security Advisory 3010060, released October 21, with a temporary “Fix It.”

We created a proof of concept (PoC) demonstrating the bypass. We later learned that some other parties, including the Google Security Team, have detected in-the-wild samples that are said to bypass the patch. We analyzed some samples in the wild, and found that they will trigger a user account control (UAC) warning when one logs in with a standard nonadministrator account. However, users on an administrator account or who have disabled the UAC will not see the warning, and the malicious code will execute automatically.

Our PoC takes another path and does not trigger the UAC at all. Thus our PoC is a full bypass while the in-the-wild samples are a partial bypass.

At the root

The vulnerability exists in the Packager object. In fact, there are two issues rather than one.

The first issue allows an attacker to drop an arbitrary file into the temp folder. (We warned the public about this security issue in a July post. Anyone who followed our advice at that time, preventing Office from invoking the Packager object, is immune to the Sandworm attack.)

The second issue is the core of the matter. While the former allows only the writing of a file into the temp folder, the latter allows an attacker to “execute” the file from the temp folder. Let’s take a closer look at how it works.

Looking at the slide definition XML file inside the .ppsx sample, we find something interesting at the following lines:

The “verb” definition in slide1.xml.

The Packager is an OLE object that supports embedding one file into another container application. As described on this MSDN page, OLE objects that provide embedding functions must expose the interface IOleObject. For the preceding XML definition, this calls the DoVerb() method of this IOleObject. Another MSDN page provides the prototype of this method:

Prototype of the IOleObject::DoVerb() function.

And the following shows the location of the IOleObject and the DoVerb() function in the packager.dll:

The IOleObject interface and the DoVerb() function in packager.dll.

The string “cmd=3″ in the slide1.xml suggests that the value of the first parameter (iVerb) is 3. Depending on different values of iVerb, we see a switch to different code in IOleObject::DoVerb(). Following we have the REed code (source code generated through reverse engineering) when iVerb equals 3.

The REed code for handling iVerb=3 in the IOleObject::DoVerb() function.

With further research and testing, we realized that this code performs the same action as clicking the second item on the following menu after right-clicking the filename, as shown here. (The print in red is our addition.)

The “right-click” menu for .inf file.

Reading the whole code of IOleObject::DoVerb(), we see that depending on different values of iVerb, the code will switch to different code paths. We split them into two situations.

  • For iVerb values greater than or equal to 3, the code will perform the same action as clicking on the pop-up menu. As we see in the REed code, it subtracts the fixed value 2 from the iVerb value 3, with the result 1, which represents the second item on the right-click menu. We can also invoke any command below “Install” on the menu by supplying a larger iVerb value. For example, if we want to click the third item on the preceding menu, we can set iVerb=4 (“cmd=4”) in the slide definition file.
  • For an iVerb value less than 3, the program will follow other code that we have not shown. These actions, such as performing the default action (iVerb=2) or renaming the display name of the Packager object (iVerb=1), are handled well from a security point of view.

We are focusing on the first situation: When the iVerb value is greater than or equal to 3, it will effectively click “Install” or a lower choice from the pop-up menu for the specific file.

For a .inf file, the right-click menu will appear exactly as in our image for a default Windows setup. Thus, in this example “InfDefaultInstall.exe” will execute and various bad thing will happen.

In this post, we have introduced the case and explained the essence of the vulnerability. In a second part, we will discuss the MS14-060 patch, how to bypass it, and more. Watch this space for our next post.

The post Bypassing Microsoft’s Patch for the Sandworm Zero Day: a Detailed Look at the Root Cause appeared first on McAfee.

Stuxnet worm infected high-profile targets before hitting Iran nukes

The Stuxnet computer worm that attacked Iran's nuclear development program was first seeded to a handful of carefully selected targets before finally taking hold in uranium enrichment facilities, according to a book published Tuesday.

The new account, included in Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Wired reporter Kim Zetter, is at odds with the now-popular narrative that the malware first penetrated Iran's Natanz enrichment facility and later unexpectedly broke loose to infect hundreds of thousands of other sites across the globe. That earlier account, provided by New York Times journalist David Sanger, characterized the escape outside of Natanz as a programming error that was never intended by engineers in the US and Israel, the two countries Sanger and Zetter said devised and unleashed Stuxnet. According to Zetter, the world's first known cyber weapon first infected Iranian companies with close ties to Iranian nuclear facilities and only later found its way to Natanz.

"To get their weapon into the plant, the attackers launched an offensive against four companies," Zetter wrote. "All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees."

Read 6 remaining paragraphs | Comments

Don’t blame Obama, but DDoS attacks are now using his press releases

There he goes again, just giving ammunition to DDoS attacks.

Akamai has issued a security bulletin (PDF) about a new form of Domain Name Service-based distributed denial of service (DDoS) attacks that emerged in October, attacks that can significantly boost the volume of data flung at a targeted server. The method builds upon the well-worn DNS reflection attack method used frequently in past DDoS attacks, exploiting part of the DNS record returned by domain queries to increase the amount of data sent to the target—by stuffing it full of information from President Barack Obama’s press office.

DNS reflection attacks (also known as DNS amplification attacks) use forged requests to a DNS server for the Internet Protocol address and other information about a specific host and domain name. For example, a response from Google’s DNS server typically returns something like this—a simple response with the canonical name (CNAME) of the DNS address sent in the request and an IPv4 or IPv6 address for that name:

DNS requests are usually sent using the User Datagram Protocol (UDP), which is “connectionless." It doesn’t require that a connection be negotiated between the requester and the server before data is sent to make sure it’s going to the right place. By forging the return address on the DNS request sent to make it look like it came from the target, an attacker can get a significant boost in the size of a DDoS attack because the amount of data sent in response to the DNS request is significantly larger.

Read 4 remaining paragraphs | Comments

Copyright © 2014. Powered by WordPress & Romangie Theme.